Fault tolerant electronic braking system

ABSTRACT

A fault tolerant electronic braking system for a vehicle has a brake pedal arranged to provide an electronic signal in response to operation thereof. A number of braking nodes are coupled to the brake pedal, each node being arranged to control a brake actuator. Each brake node has a controller arranged for processing the first signal to provide a second signal for controlling the brake actuator, and for providing third signals for transmission to the other control means. The third signals are the expected second signal results of the other controllers. Each controller is arranged to compare the second signal with the third signals received from the other controllers such that errors detected between the second and third signals indicate faults in the controllers.

FIELD OF THE INVENTION

This invention relates to fault-tolerant electronic braking systems.

BACKGROUND OF THE INVENTION

In recent years, automobile manufacturers have sought to replace many expensive mechanical components with electronic components. Future automotive designs contemplate the removal of even more mechanical components, particularly in respect of control linkages to the engine, wheels, etc., replacing them with ‘by-wire’ technology, partially derived from the ‘fly-by-wire’ technology associated with the aircraft industry.

For example, the hydraulic or mechanical braking system of an automobile may be replaced by a microprocessor controlled system, having a pedal which, upon actuation by the driver, transmits electronic signals to brake actuators located in proximity to the brakes. The brake actuators apply the brakes in dependence upon the electronic signals.

In safety critical applications, such as the brake system described above, the system must be fault-tolerant, such that if a fault should occur, at least some functionality of the system will continue. Known arrangements to provide fault-tolerance include redundant systems having two or more microprocessors which operate independently of each other and cross-check each other to detect faults.

A problem with this arrangement is that the larger the number of processors, the more cost is added to the system, and the fewer the number of processors, the greater the chances of all processors in the system developing a fault.

This invention seeks to provide a fault-tolerant electronic braking system which mitigates the above mentioned disadvantages.

SUMMARY OF THE INVENTION

According to the present invention there is provided a fault-tolerant electronic braking system for a vehicle, comprising: a user operated input arranged to provide a first signal in response to operation thereof; and, at least three braking nodes coupled to the user operated input, each node being arranged to control at least one brake actuator, each node having control means arranged for processing the first signal to provide a second signal for controlling the at least one brake actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being expected second signal results of the at least two other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.

Preferably upon detection of a fault, each control means uses a voting scheme to determine which of the second and third signals is to be used as a fourth signal to control each of the brake actuators.

Each control means is also preferably arranged to transmit the fourth signal to the at least two other control means, in order to verify whether the voting scheme has been used correctly.

The at least three brake nodes are preferably distributed in mutually remote locations of the vehicle. Preferably the first signal is adapted such that it is transmitted to the at least three brake nodes in a synchronous manner.

The first signal is preferably re-transmitted by each of the control means, for further fault detection. Preferably the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.

In this way a fault-tolerant electronic braking system is provided which is cost effective, with improved fault-tolerance and enhanced fault-detection.

BRIEF DESCRIPTION OF THE DRAWING

An exemplary embodiment of the invention will now be described with reference to the single FIGURE drawing which shows a preferred embodiment of a fault-tolerant electronic braking system in accordance with the invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

Referring to the single FIGURE drawing, there is shown a fault-tolerant electronic braking system 5 for a vehicle (not shown), including first, second, third, and fourth wheel nodes having electronic control units (ECUs) 10, 20, 30 and 40, which are distributed in mutually remote locations of the vehicle. Each of the first, second, third, and fourth ECUs 10, 20, 30 and 40 is coupled to associated first, second, third and fourth brake actuators 15, 25, 34, 45 respectively.

The first, second, third, and fourth ECUs 10, 20, 30 and 40 respectively are also each coupled to first and second buses 7 and 8 respectively. The brake pedal unit 50 (shown as Pedal) is also connected to the first and second buses 7 and 8 respectively. The first and second buses 7 and 8 respectively are substantially identical and are both arranged to provide synchronous signals according to a Time Division Multiple Access scheme (TDMA) or similar.

High level functions of current braking systems may be integrated into the system 5 via a (high level) ECU 60 attached to the buses 7 and 8, or by a gateway to an ECU (not shown).

The brake pedal unit 50 has a transducer (not shown) and is arranged to provide first electronic signals to the first and second buses 7 and 8 respectively in response to a conventional force applied to a brake pedal (not shown) of the unit 50. The brake pedal unit 50 may be arranged to pre-process the signals.

Each of the first, second, third, and fourth ECUs 10, 20, 30, 40 can operate independently from the other ECUs if required, and is able to provide a processed result signal to the associated brake actuator 15, 25, 35 or 45 in response to the first signals received from the brake pedal unit 50. In this way a basic braking function is achieved, which is the minimum required for safe operation, not necessarily including higher level functions such as vehicle stability management or traction control. The provision of first and second buses 7 and 8 provides fault-tolerance in the case of a problem occurring therein.

In addition, each of the first, second, third, and fourth ECUs 10, 20, 30, 40 performs a similar algorithm using the same first signals received from the brake pedal unit 50, and provides the first signals and the result signals to the other ECUs. In this way each of the first, second, third, and fourth ECUs 10, 20, 30, 40 can detect incorrect operation by comparing its received first signals and result signals with those of the other ECUs.

As four ECUs are available to check data against, it is possible to not only detect that there is a problem somewhere in the system 5, but also to identify the faulty ECU. A faulty ECU can therefore be identified, either by itself, or by the majority of the ECUs in the system 5 via a voting procedure, whereby the ECU having the most different results compared to the other ECUs is considered to be faulty.

After a fault has been identified, appropriate action can be taken, such as logging the fault, running diagnostics, or resetting or disabling the node. If an ECU is disabled due to a fault, the system 5 can be arranged such that the main braking function will be re-distributed across the operating ECUs.

As each ECU checks its operation against the other ECUs, faults can be detected that may be undetectable by using a simpler self-test type of checking in isolation. For example, an ECU may exhibit a fault where it decodes the received signals from the brake pedal unit 50 incorrectly, but the decoded value is still within the allowed range. The ECU would pass a self-test, and act on the faulty data if no other tests were performed, but with the described checking against other ECUs, the incorrect data would be detected.

As each ECU regularly re-transmits its received signals, the system 5 is able to survive faults that would otherwise cause it to be partially disabled.

For example, if the first ECU 10 cannot access the electronic signals from the brake pedal unit 50 directly due to a communications fault, it can use the electronic signals passed via the second, third or fourth ECUs 20, 30 and 40 respectively.
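The following Python simulation is an added illustration of the cross-checking, voting and re-transmission behaviour described in the preceding paragraphs; it is not code from the patent or from any product implementing it. It assumes a 10-bit pedal transducer (0 to 1023), a brake command expressed as 0 to 100 percent, a simple proportional decoding algorithm, the node names ECU10 to ECU40, and one constructed fault in which an ECU decodes the pedal signal incorrectly while the result stays inside the allowed range, which is exactly the case an isolated self-test would miss. It also covers the case of an ECU that has lost its direct path to the pedal unit and falls back to the pedal values re-transmitted by the other nodes.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PEDAL_MAX = 1023   # assumed: 10-bit pedal transducer, values 0..1023
BRAKE_MAX = 100    # assumed: actuator command in percent, values 0..100


def decode_pedal(raw: int) -> int:
    """Nominal algorithm that every healthy ECU runs on the first signal."""
    if not 0 <= raw <= PEDAL_MAX:
        raise ValueError("pedal value outside allowed range")
    return raw * BRAKE_MAX // PEDAL_MAX


def biased_decode(raw: int) -> int:
    """Constructed fault: decodes incorrectly but stays inside the allowed range."""
    return min(BRAKE_MAX, decode_pedal(raw) + 15)


def self_test(cmd: int) -> bool:
    """Isolated self-test: only a range check, so biased_decode passes it."""
    return 0 <= cmd <= BRAKE_MAX


@dataclass
class Ecu:
    name: str
    decode: Callable[[int], int] = decode_pedal   # a faulty ECU gets another decoder
    pedal_link_ok: bool = True                    # False: no direct path to pedal unit 50
    pedal: Optional[int] = None                   # first signal as this ECU received it
    result: Optional[int] = None                  # second signal: own brake command
    peers: Dict[str, int] = field(default_factory=dict)  # third signals from other ECUs


def majority(values: List[int]) -> int:
    """Most frequent value; a tie is broken deterministically (smallest wins)."""
    counts = Counter(values)
    best = max(counts.values())
    return min(v for v, c in counts.items() if c == best)


def run_cycle(ecus: List[Ecu], raw_pedal: int) -> dict:
    """One bus cycle: broadcast, re-transmit, compute, exchange, compare, vote."""
    # 1. Pedal unit 50 puts the first signal on the bus; ECUs with a working link read it.
    for e in ecus:
        e.pedal = raw_pedal if e.pedal_link_ok else None
    # 2. Every ECU re-transmits what it received; an ECU that could not read the
    #    pedal directly takes the majority of the copies passed on by the others.
    for e in ecus:
        if e.pedal is None:
            e.pedal = majority([o.pedal for o in ecus if o is not e and o.pedal is not None])
    # 3. Each ECU runs the (nominally identical) algorithm on the same first signal.
    for e in ecus:
        e.result = e.decode(e.pedal)
    # 4. Result signals are exchanged: each ECU learns what the others computed.
    for e in ecus:
        e.peers = {o.name: o.result for o in ecus if o is not e}
    # 5. Voting: an ECU whose result differs from a majority of its peers is faulty.
    faulty = set()
    for e in ecus:
        differing = sum(1 for r in e.peers.values() if r != e.result)
        if 2 * differing > len(e.peers):
            faulty.add(e.name)
    # 6. Fourth signal: each ECU applies the majority result; it is transmitted to the
    #    others so that all can verify the vote was evaluated consistently.
    command = {e.name: majority([e.result] + list(e.peers.values())) for e in ecus}
    return {
        "results": {e.name: e.result for e in ecus},
        "self_test_pass": {e.name: self_test(e.result) for e in ecus},
        "faulty": faulty,
        "command": command,
        "vote_consistent": len(set(command.values())) == 1,
    }


def healthy_nodes() -> List[Ecu]:
    return [Ecu("ECU10"), Ecu("ECU20"), Ecu("ECU30"), Ecu("ECU40")]


def demo() -> dict:
    """Constructed scenario: ECU10 has lost its direct pedal link, ECU20 decodes
    incorrectly but in range; the pedal is pressed to 512 of 1023."""
    ecus = [Ecu("ECU10", pedal_link_ok=False), Ecu("ECU20", decode=biased_decode),
            Ecu("ECU30"), Ecu("ECU40")]
    return run_cycle(ecus, 512)


if __name__ == "__main__":
    report = demo()
    print("results:", report["results"])
    print("self-test passes:", report["self_test_pass"])
    print("identified faulty:", report["faulty"])
    print("commands applied:", report["command"], "consistent:", report["vote_consistent"])
```

In the constructed scenario every ECU passes its own range self-test, yet ECU20 is singled out because its result disagrees with all three peers, and all four nodes still apply the same majority command. ECU10 reaches that result without ever reading the pedal unit itself, using only the re-transmitted copies. The simulation assumes the voting logic of the faulty node is itself intact; a node whose voter is also broken would show up at step 6, when its fourth signal disagrees with the others.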

An advantage gained from this layout is that identical signals from the brake pedal unit 50 are available to all parts of the system 5 at the same time. This simplifies the error-detection task, as when correctly operating, all ECUs can perform identical operations on identical signals, and any differences indicate a fault.

It will be appreciated that alternative embodiments to the one described above are possible. For example, a single rear brake ECU could be used to replace the third and fourth ECUs 30 and 40, whereby the single rear brake ECU would be coupled to the third and fourth brake actuators 35 and 45 respectively.

What is claimed is:
 1. A fault tolerant electronic braking system for a vehicle, comprising: a user operated input arranged to provide a first signal in response to operation thereof; and, at least three braking nodes coupled to the user operated input, each node being arranged to control at least one brake actuator, each node having control means arranged for processing the first signal to provide a second signal for controlling the at least one brake actuator, and to provide a plurality of third signals to the at least two other control means, the third signals being the second signal results of the at least two other control means; wherein each control means is arranged to compare the second signal with the third signals received from the at least two other control means such that errors detected between the second and third signals indicate faults in the at least three control means.
 2. The system of claim 1 wherein the first signal is re-transmitted by each of the control means, for further fault detection.
 3. The system of claim 1 wherein the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
 4. The system of claim 1 wherein the at least three brake nodes are distributed in mutually remote locations of the vehicle.
 5. The system of claim 4 wherein the first signal is adapted such that it is transmitted to the at least three brake nodes in a synchronous manner.
 6. The system of claim 4 wherein the first signal is re-transmitted by each of the control means, for further fault detection.
 7. The system of claim 4 wherein the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
 8. The system of claim 4 wherein the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
 9. The system of claim 4 wherein the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
 10. The system of claim 1 wherein the first signal is adapted such that it is transmitted to the at least three brake nodes in a synchronous manner.
 11. The system of claim 10 wherein the at least three brake nodes comprise four brake nodes, each arranged to control one of four brake actuators.
 12. The system of claim 10 wherein the at least three